Symbolic data structures for model checking timed systems have been subject to significant research, with Difference Bound Matrices (DBMs) still being the preferred data structure in several mature verification tools. In comparison, discretization offers an easy alternative, with all operations having linear-time complexity in the number of clocks, and yet valid for a large class of closed systems. Unfortunately, fine-grained discretization itself causes a state-space explosion. We introduce a new data structure called time-darts for the symbolic representation of state-spaces of timed automata. Compared with the complete discretization, a single time-dart allows us to represent an arbitrarily large set of states, yet the time complexity of operations on time-darts remains linear in the number of clocks. We prove the correctness of the suggested reachability algorithm and perform several experiments in order to compare the performance of time-darts and the complete discretization. The main conclusion is that in all our experiments the time-dart method outperforms the complete discretization and it scales significantly better for models with larger constants.

1 Introduction 

Timed automata [?] are a well studied formalism for modelling and verification of real-time systems. Over the years extensive research effort has been made towards the design of data structures and algorithms allowing for efficient model checking of this modeling formalism. These techniques have by now been implemented in a number of mature tools (e.g. Uppaal [4], IF [9], Kronos [14], PAT [21], Rabbit [6], RED [?]), with zone-based analysis [15, 5] still being predominant, stemming from the fact that Difference Bound Matrices (DBMs) offer a very compact data structure for efficient implementation of the various operations required for the state-space exploration. Still the DBM data structure suffers from the fact that all operations have at least quadratic — and the crucial closure operation even cubic — time complexity in the number of clocks (though for diagonal-free constraints the operations can be implemented in quadratic time [23]). In contrast, as advocated in [10, 19], the use of discretization offers an easy alternative, with all operations having linear complexity in the number of clocks, and yet valid for the large — and in practice often sufficient — class of closed systems that contain only nonstrict guards; moreover for reachability checking the continuous and discrete semantics coincide on this subclass.

As an example consider the timed automaton shown in Figure 1 containing $n$ clocks and $n$ self-loops where the $i$'th loop has the guard $x_i = i$ and resets the clock $x_i$. We are interested in whether or not we can reach the Goal location. For this to happen, all clocks $x_1, \ldots, x_n$ must simultaneously have the value zero, corresponding effectively to calculating the least common multiple of the numbers from 1 to $n$. In Figure 1 we compare the verification times of the zone-based reachability performed in UPPAAL with that of a simple Python-based implementation of a discrete-time reachability checker for timed automata.
Figure 1: Discrete vs. zone-based reachability algorithm (time in seconds)



Opposite to what one might expect, it turns out that in this case the naive discrete implementation without 
any speed optimizations outperforms a state-of-the-art model checking tool. 

On the other hand, the disadvantage of discretization is that the number of states to be considered explodes when the size of the constants appearing in the constraints of the timed automaton is increased. In fact, the experimental results of Lamport [19] show that the zone-based methods outperform discretized methods when the maximum constant in the timed automaton exceeds 10. Also in [19] the BDD-based model checker SMV was applied to symbolically represent the discretized state-space. This representation is less sensitive to the maximum constant of the model, yet from the experimental results in [7] it appears that the zone-based method is still superior for constants larger than 16.

Inspired by the success of discretization reported in Figure 1 we revisit the problem of finding efficient data structures for the analysis of timed automata. In particular, we introduce a new data structure called time-darts for the symbolic representation of the state-spaces of timed automata. Compared with the complete discretization, a single time-dart allows us to represent an arbitrarily large set of states, yet the time complexity of operations remains linear in the number of clocks, providing a potential advantage compared to DBMs.

We propose a symbolic reachability algorithm based on a forward search. To ensure the termination of the forward search the so-called extrapolation of time-darts with respect to the maximum constant appearing in the model is required. Given the subtleties of extrapolation¹, we prove the termination and correctness of the proposed algorithm. We perform several experiments in order to compare the performance of time-darts versus the complete discretization representation. The main conclusion is that the time-dart method consistently outperforms the complete discretization and it is particularly well suited for scaling up the constants used in the model. Given the simplicity of implementing discrete-time algorithms compared to the DBM-based ones, our method can in practice be well suited for the verification of closed timed systems with moderately large constants.

¹ Despite several earlier claims, it was not before [8] that a complete — and a quite non-trivial — proof of correctness of zone-based forward reachability was given.

2 Timed Automata

Let $\mathbb{N}$ be the set of nonnegative integers and let $\mathbb{N}^\infty = \mathbb{N} \cup \{\infty\}$. The comparison and addition operators are defined as expected, in particular $n < \infty$ and $n + \infty = \infty$ for $n \in \mathbb{N}$.

A Discrete Timed Transition System (DTTS) is a pair $T = (S, \to)$ where $S$ is a set of states, and $\to \subseteq S \times (\mathbb{N} \cup \{\tau\}) \times S$ is a transition relation written $s \xrightarrow{d} s'$ if $(s, d, s') \in \to$ where $d \in \mathbb{N}$ for delay actions, and $s \xrightarrow{\tau} s'$ if $(s, \tau, s') \in \to$ for switch actions. By $\to^*$ we denote the reflexive and transitive closure of the relation $\to \;=\; \xrightarrow{\tau} \cup \bigcup_{d \in \mathbb{N}} \xrightarrow{d}$.

Let $C$ be a finite set of clocks. A (discrete) clock valuation of clocks from $C$ is a function $v : C \to \mathbb{N}$. The set of all clock valuations is denoted by $\mathcal{V}$. Let $v \in \mathcal{V}$. We define the valuation $v + d$ after a delay of $d \in \mathbb{N}$ time units by $(v + d)(x) \stackrel{\text{def}}{=} v(x) + d$ for every $x \in C$. For a subset $R \subseteq C$ of clocks we define the valuation $v[R := 0]$ where all clocks from $R$ are reset to zero by $v[R := 0](x) \stackrel{\text{def}}{=} v(x)$ for $x \in C \setminus R$ and $v[R := 0](x) \stackrel{\text{def}}{=} 0$ for $x \in R$.

A nonstrict (or closed) time interval $I$ is of the form $[a, b]$ or $[a, \infty)$ where $a, b \in \mathbb{N}$ and $a \le b$. The set of all time intervals is denoted by $\mathcal{I}$. We use the functions $ub, lb : \mathcal{I} \to \mathbb{N}^\infty$ to return the upper resp. lower bound of a given interval. A clock guard over the set of clocks $C$ is a function $g : C \to \mathcal{I}$ that assigns a time interval to each clock. We denote the set of all clock guards over $C$ by $\mathcal{G}(C)$. We write $v \models g$ for a valuation $v \in \mathcal{V}$ and a guard $g \in \mathcal{G}(C)$ whenever $v(x) \in g(x)$ for all $x \in C$.

Timed Automaton A timed automaton (TA) is a tuple $A = (L, C, \to, \ell_0)$ where $L$ is a finite set of locations, $C$ is a finite set of clocks, $\to \subseteq L \times \mathcal{G}(C) \times 2^C \times L$ is a finite transition relation written $\ell \xrightarrow{g,R} \ell'$ for $(\ell, g, R, \ell') \in \to$, and $\ell_0 \in L$ is an initial location.

Note that we do not consider clock invariants as they can be substituted by adding corresponding clock 
guards to the outgoing transitions while preserving the answers to location-reachability checking. 

A configuration of a timed automaton $A$ is a pair $(\ell, v)$ where $\ell \in L$ and $v \in \mathcal{V}$. We denote the set of all configurations of $A$ by $Conf(A)$. The initial configuration of $A$ is $(\ell_0, v_0)$ where $v_0(x) \stackrel{\text{def}}{=} 0$ for all $x \in C$.

Discrete Semantics A TA $A = (L, C, \to, \ell_0)$ generates a DTTS $T_{DS}(A) \stackrel{\text{def}}{=} (Conf(A), \to_{DS})$ where states are configurations of $A$ and the transitions are given by

$(\ell, v) \xrightarrow{\tau}_{DS} (\ell', v[R := 0])$ if $\ell \xrightarrow{g,R} \ell'$ such that $v \models g$
$(\ell, v) \xrightarrow{d}_{DS} (\ell, v + d)$ if $d \in \mathbb{N}$.

The discrete semantics clearly yields an infinite state space due to unbounded time delays. We will 
now recall that the reachability problem for a TA A can be solved by looking only at a finite prefix of 
the state space up to some constant determining the largest possible delay. Let $MC$ be the largest integer that appears in any guard of $A$. Two valuations $v, v' \in \mathcal{V}$ are equivalent up to the maximal constant $MC$, written $v \equiv_{MC} v'$, if

$$\forall x \in C.\; v(x) = v'(x) \;\vee\; (v(x) > MC \wedge v'(x) > MC).$$

Observe that the equivalence relation $\equiv_{MC}$ has only finitely many equivalence classes as there are finitely many clocks and each of them is bounded by the constant $MC$.

Lemma 2.1 Let $v, v' \in \mathcal{V}$ s.t. $v \equiv_{MC} v'$ and let $g \in \mathcal{G}(C)$ be a guard where $0 \le lb(g(x)) \le MC$, and $ub(g(x)) = \infty$ or $0 \le ub(g(x)) \le MC$ for all $x \in C$. Then $v \models g$ iff $v' \models g$.

Moreover, any two configurations with the same location and equivalent valuations are timed bisimilar (for the definition of timed bisimilarity see e.g. [20]).

Lemma 2.2 The relation $B = \{((\ell, v), (\ell, v')) \mid v \equiv_{MC} v'\}$ is a timed bisimulation for any timed automaton with its maximum constant $MC$.

Proof Let $((\ell, v), (\ell, v')) \in B$. We analyse only the switch and delay actions from $(\ell, v)$; the situation for the transitions from $(\ell, v')$ is symmetric.

• Assume that $(\ell, v) \xrightarrow{\tau}_{DS} (\ell', v[R := 0])$ via a transition $\ell \xrightarrow{g,R} \ell'$. Due to Lemma 2.1 and the fact that $v \models g$, we get $v' \models g$. Hence also $(\ell, v') \xrightarrow{\tau}_{DS} (\ell', v'[R := 0])$ and it is easy to verify that $v[R := 0] \equiv_{MC} v'[R := 0]$.

• Assume that $(\ell, v) \xrightarrow{d}_{DS} (\ell, v + d)$. We want to argue that also $(\ell, v') \xrightarrow{d}_{DS} (\ell, v' + d)$ such that $v + d \equiv_{MC} v' + d$; this is easy to see from the facts that (i) if $v(x), v'(x) > MC$ then also $(v + d)(x), (v' + d)(x) > MC$ and (ii) if $v(x) = v'(x) \le MC$ then $(v + d)(x) = (v' + d)(x)$. □

We now define an alternative discrete semantics of TA with only finitely many reachable configurations. First, for the maximum constant $MC$, we define a bounded addition operator

$$n \oplus_{MC} m \stackrel{\text{def}}{=} \begin{cases} MC + 1 & \text{if } n + m > MC, \\ n + m & \text{otherwise.} \end{cases}$$

The operation $\oplus_{MC}$ is in a natural way extended to functions and tuples.

Bounded Discrete Semantics A TA $A = (L, C, \to, \ell_0)$ with the maximal constant $MC$ generates a DTTS $T_{BDS}(A) \stackrel{\text{def}}{=} (Conf(A), \to_{BDS})$ where states are configurations of $A$ and the transition relation $\to_{BDS}$ is defined by

$(\ell, v) \xrightarrow{\tau}_{BDS} (\ell', v[R := 0])$ if $\ell \xrightarrow{g,R} \ell'$ such that $v \models g$
$(\ell, v) \xrightarrow{d}_{BDS} (\ell, v \oplus_{MC} d)$ if $d \in \mathbb{N}$.

We say that a location $\ell_g$ is reachable in $T_{DS}(A)$ resp. in $T_{BDS}(A)$ if $(\ell_0, v_0) \to^* (\ell_g, v)$ for some valuation $v$ where $\to$ is $\to_{DS}$ resp. $\to_{BDS}$.

We conclude that the bounded semantics preserves reachability of locations, the main problem we are interested in. This fact follows from Lemma 2.2.

Theorem 2.3 A location $\ell$ is reachable in $T_{DS}(A)$ iff $\ell$ is reachable in $T_{BDS}(A)$.

3 Naive Reachability Algorithm

We can now describe the naive search algorithm that explores in a standard way, point by point, the finite state-space of the bounded semantics and provides the answer to the location reachability problem. Algorithm 1 searches through all reachable states, starting from the initial location, until a goal configuration is found (returning true) or all configurations are visited (returning false). Notice that the algorithm is nondeterministic as it is not specified which element should be removed from Waiting at line 5 (the choice depends on the concrete search strategy like DFS or BFS). The next theorem states that Algorithm 1 is correct.

Theorem 3.1 Let $A$ be a timed automaton and let $\ell_g$ be a location. Algorithm 1 terminates, and it returns true iff $\ell_g$ is reachable in the discrete semantics $T_{DS}(A)$.

Algorithm 1: Naive reachability algorithm
Input: A timed automaton A = (L, C, →, ℓ0) and a location ℓg ∈ L
Output: true if ℓg is reachable in T_DS(A), false otherwise
 1  begin
 2    Passed := ∅; Waiting := ∅;
 3    AddToPW(ℓ0, v0)
 4    while Waiting ≠ ∅ do
 5      remove some (ℓ, v) from Waiting
 6      Passed := Passed ∪ {(ℓ, v)}
 7      forall the (ℓ', v') such that (ℓ, v) →τ_BDS (ℓ', v') do
 8        AddToPW(ℓ', v')
 9      AddToPW(ℓ, (v ⊕_MC 1))
10    return false
11  AddToPW(ℓ, v)
12    if (ℓ, v) ∉ Passed ∪ Waiting then
13      if ℓ = ℓg then
14        return true   /* and terminate the whole algorithm */
15      else
16        Waiting := Waiting ∪ {(ℓ, v)}

Proof First notice that the algorithm terminates because there is only a finite number of configurations that can possibly be added to Waiting: the number of locations is finite and due to the bounded addition at line 9 the total number of configurations is finite too. Whenever a configuration is removed from the set Waiting, it is added to Passed (line 6) and can never be inserted into Waiting again due to the test at line 12. As we remove one element from Waiting each time the body of the while-loop is executed, the algorithm necessarily terminates either at line 10 or even earlier at line 14 if the goal location is reachable.

Now we prove the correctness part. By Theorem 2.3 we can equivalently argue that the algorithm returns true iff $\ell_g$ is reachable in $T_{BDS}(A)$.

"⇒": Assume that Algorithm 1 returns true. We want to show that the location $\ell_g$ is reachable in $T_{BDS}(A)$. This can be established by the following invariant: any call of AddToPW with the argument $(\ell, v)$ implies that the configuration $(\ell, v)$ is reachable in $T_{BDS}(A)$. For the initialisation at line 3 this clearly holds. In the while-loop the calls to AddToPW are at lines 8 and 9. At line 8 we know by the invariant that $(\ell, v)$ is reachable and we call AddToPW only with $(\ell', v')$ such that $(\ell, v) \xrightarrow{\tau}_{BDS} (\ell', v')$, so the invariant is preserved. Similarly at line 9, for the argument $(\ell, (v \oplus_{MC} 1))$ of AddToPW it holds that $(\ell, v) \xrightarrow{1}_{BDS} (\ell, (v \oplus_{MC} 1))$, so it is reachable as well.

"⇐": Assume that a configuration $(\ell', v')$ is reachable via $n$ transitions in $T_{BDS}(A)$, formally $(\ell_0, v_0) \to^n_{BDS} (\ell', v')$, where (without loss of generality) all delay transitions in the sequence are of the form $\xrightarrow{1}_{BDS}$, in other words they add exactly a one-unit time delay. By induction on $n$ we will establish that during any execution of the algorithm there is eventually a call of AddToPW with the argument $(\ell', v')$, unless the algorithm already returned true. If $n = 0$ then the claim is trivial due to the call at line 3. If $n > 0$ then either (i) $(\ell_0, v_0) \to^{n-1}_{BDS} (\ell, v) \xrightarrow{\tau}_{BDS} (\ell', v')$ with the last switch action or (ii) $(\ell_0, v_0) \to^{n-1}_{BDS} (\ell, v) \xrightarrow{1}_{BDS} (\ell', v')$ with the last one-unit delay action. By the induction hypothesis, unless the algorithm already returned true, there will eventually be a call of AddToPW with the argument $(\ell, v)$ and this element is added to the set Waiting. Because the algorithm terminates, the element $(\ell, v)$ will eventually be removed from Waiting at line 5 and its switch successors and the one-unit delay successor will become arguments of the call to AddToPW at lines 8 and 9. Hence the induction hypothesis for the cases (i) and (ii) is established. □

Figure 2: A time-dart $(\gamma, w, p)$ where $\gamma(x) = 2$, $\gamma(y) = 0$, $w = 2$ and $p = 5$

4 Time-Dart Data Structure 

We shall now present a novel symbolic representation of the discrete state space. The symbolic structure, which we call a time-dart, allows us to represent a number of concrete configurations in a more compact way so that time successors of a configuration are stored without being explicitly enumerated. We start with the definition of an anchor point, denoting the beginning of a time-dart.

An anchor point over a set of clocks $C$ is a clock valuation $\gamma : C \to \mathbb{N}$ where $\gamma(x) = 0$ for at least one $x \in C$. We denote the set of all anchor points over a set of clocks $C$ by $Anchors(C)$. Now we are ready to define time-darts.

Time-Dart A time-dart over a set of clocks $C$ is a triple $(\gamma, w, p)$ where $\gamma \in Anchors(C)$ is an anchor point, $w \in \mathbb{N}$ is a waiting distance, and $p \in \mathbb{N}^\infty$ is a passed distance such that $w \le p$.

The intuition is that a time-dart describes the corresponding passed and waiting sets in a given location. Figure 2 shows a dart example with two clocks $x$ and $y$, anchor point $(2, 0)$, waiting distance 2 and passed distance 5. The empty circles represent the points in the waiting set and the filled circles represent the points in the passed set, formally defined by: $Waiting(\gamma, w, p) = \{\gamma + d \mid w \le d < p\}$ and $Passed(\gamma, w, p) = \{\gamma + d \mid d \ge p\}$.

The passed-waiting list is represented as a function from locations and anchor points to the corresponding waiting and passed distances (here $\bot$ represents the undefined value):

$$PW : L \times Anchors(C) \to (\mathbb{N} \times \mathbb{N}^\infty) \cup \{\bot\}.$$

Such a structure can be conveniently implemented as a hash map. A given passed-waiting list $PW$ defines the sets of passed and waiting configurations:

$Waiting(PW) = \{(\ell, v) \mid \exists \gamma.\; PW(\ell, \gamma) = (w, p) \ne \bot \text{ and } v \in Waiting(\gamma, w, p)\}$
$Passed(PW) = \{(\ell, v) \mid \exists \gamma.\; PW(\ell, \gamma) = (w, p) \ne \bot \text{ and } v \in Passed(\gamma, w, p)\}$
Algorithm 2: Time-dart reachability algorithm
Input: A timed automaton A = (L, C, →, ℓ0) and a location ℓg ∈ L
Output: true if ℓg is reachable in T_DS(A), false otherwise
 1  begin
 2    PW(ℓ, γ) := ⊥ for all (ℓ, γ)                 /* default value */
 3    AddToPW(ℓ0, γ0, 0, ∞) where γ0(x) := 0 for all x ∈ C
 4    while ∃(ℓ, γ). PW(ℓ, γ) = (w, p) and w < p do
 5      PW(ℓ, γ) := (w, w)
 6      foreach (ℓ, g, R, ℓ') ∈ → do
 7        start := max(w, max({lb(g(x)) − γ(x) | x ∈ C}))
 8        end := min({ub(g(x)) − γ(x) | x ∈ C})
 9        if (start < p ∧ start ≤ end) then
10          if R = ∅ then
11            AddToPW(ℓ', (γ ⊕_MC start) − start, start, ∞)
12          else
13            stop := max{start, MC + 1 − min_{x ∈ C∖R} γ(x)}
14            for n := start to min(end, p − 1, stop) do
15              AddToPW(ℓ', (γ ⊕_MC n)[R := 0], 0, ∞)
16    return false
17  AddToPW(ℓ, γ, w, p)
18    if ℓ = ℓg then
19      return true   /* and terminate the whole algorithm */
20    if PW(ℓ, γ) = ⊥ then
21      PW(ℓ, γ) := (w, p)
22    else
23      (w', p') := PW(ℓ, γ)
24      PW(ℓ, γ) := (min(w, w'), min(p, p'))

5 Reachability Algorithm Based on Time-Darts 

We can now present Algorithm 2 showing how time-darts can be used to compute the set of reachable states of a timed automaton in a compact and efficient way. The algorithm repeatedly selects from the waiting list a location $\ell$ with a time-dart $(\gamma, w, p)$ that still contains some unexplored points ($w < p$). Then for each edge $\ell \xrightarrow{g,R} \ell'$ in the timed automaton it computes the start and end delays from the anchor point such that start is the minimum delay at which the guard $g$ first becomes enabled and end is the maximum possible delay such that $g$ is still enabled. Depending on the concrete situation it will add a new time-dart (or a set of darts) with location $\ell'$ to the waiting list by calling AddToPW. A switch transition is always followed by a delay transition that is computed symbolically (including in a single step all possible delays). There are several cases that determine what kinds of new time-darts are generated. Figure 3 gives a graphical overview of the different situations. In Figure 3a we illustrate the produced time-dart that serves as the argument for the call to AddToPW at line 11 of the algorithm (no clocks are reset). Here
the anchor point $\gamma$ is not modified because $((\gamma \oplus_{MC} start) - start) = \gamma$. Figure 3b shows another example of a call at line 11 where the anchor point changes. Finally, Figure 3c explains the case where some clocks are reset and several new darts are added in the body of the for-loop at line 14 of the algorithm (the for-loop starts from start and stops as soon as either end, the beginning of the passed list, or the number stop (used for performance optimization) is reached). We note that the figures show the time-darts that the function AddToPW is called with; inside the function the information already stored in the passed-waiting list for the concrete anchor point and location is updated so that we take the minimum of the current and new waiting and passed distances (line 24 of the algorithm).

Figure 3: Successor generation for a selected time-dart (only the values annotated in the figure are reproduced here)
(a) Unchanged anchor point: start = 4, end = 5, γ ⊕_MC start = (6, 4), γ ⊕_MC end = (7, 5)
(b) Shift of anchor point: start = 4, end = ∞, γ + start = (7, 4), γ ⊕_MC start = (6, 4), (γ ⊕_MC start) − start = (2, 0) = γ'
(c) Reset of a clock: start = 2, end = 6

Figure 4: Example of an execution of the algorithm (columns represent the number of iterations of the main while-loop; all unlisted pairs of locations and anchor points constantly have the value ⊥)

Let us now demonstrate the execution of Algorithm 2 on the automaton depicted in Figure 4 where we ask if the goal location $\ell_3$ is reachable from the initial state $(\ell_0, v_0)$ where $v_0(x) = v_0(y) = 0$. The values stored in the passed-waiting list after each iteration of the while-loop are shown in the table such that a column labelled with a number $i$ is the status of the passed-waiting list after the $i$'th execution of the body of the while-loop; all values for anchor points not listed in the table are constantly $\bot$.

Initially we set $PW(\ell_0, (0, 0)) = (0, \infty)$, meaning that all points reachable from the initial valuation after an arbitrary delay action belong to the waiting list and should be explored. As $\ell_0$ is not the goal state, the algorithm continues with the execution of the main while-loop. In the first iteration of the loop we pick the only element in the waiting list so that $\ell = \ell_0$, $\gamma = (0, 0)$, $w = 0$ and $p = \infty$. Then we update $PW(\ell_0, (0, 0))$ to $(0, 0)$² according to line 5 of the algorithm, meaning that all points on the dart are now in the passed list. After this we consider the transition from $\ell_0$ to $\ell_1$ with the guard $x \in [2, \infty)$ (and the implicit guard $y \in [0, \infty)$) and calculate the values of start (the minimum delay from the anchor point to satisfy the guard while having at least the delay $w$ where the waiting list starts) and end (the maximum delay from the anch
or point so that the guard is still satisfied). In our example we have $start = \max(0, (2 - 0), (0 - 0)) = 2$ and $end = \min((\infty - 2), (\infty - 0)) = \infty$.

Next we consider the test at line 9 that requires that the minimum delay start to enable all guards is not in the region of already passed points ($start < p$) and at the same time that it is below the maximum delay after which the guard becomes disabled ($start \le end$). If this test fails, there is no need to do anything with the currently picked element from the waiting list. As the values in our example satisfy the condition at line 9 and no clocks are reset, we update according to line 11 of the algorithm the value of $(\ell_1, (0, 0))$ to $(2, \infty)$. This means that in the future iterations we have to explore in location $\ell_1$ all points $(2, 2), (3, 3), (4, 4), \ldots$. Note that the addition and subtraction of start at line 11 had no effect as none of the clocks after the minimum delay exceeded the maximum constant 2; should this happen, the values exceeding the maximum constant get truncated to $MC + 1$.

² In each column we mark by bold font the element that is picked in the next iteration of the while-loop.

In the second iteration of the while-loop we select the location and anchor point $(\ell_1, (0, 0))$, with $w = 2$ and $p = \infty$, set it to $(2, 2)$ in the table and mark it in bold as the selected point in the previous column. This time we have to explore two edges. First, we select the self-loop that resets the clock $x$ and we get $start = 2$ and $end = \infty$. Now we execute lines 10 to 15 as the edge contains a reset. The for-loop will be run for the values of $n$ from 2 to 3. The upper bound of 3 for the for-loop follows from the fact that $MC = 2$ and the maximum value of a clock that is not reset in the anchor point is 0. In the for-loop we add two successors (line 15) at the location $\ell_1$ with the anchor points $(0, 2)$ and $(0, 3)$. Second, if we consider the edge from $\ell_1$ to $\ell_2$ we can see that in location $\ell_2$ the anchor point $(0, 0)$ is set to $(0, \infty)$.

The remaining values stored in the passed-waiting list are computed in the outlined way. We can 
notice that after the 7th iteration of the while-loop the set Waiting (PW) is empty and the algorithm 
terminates. As the location £3 has not been discovered during the search, the algorithm returns false. 

The correctness theorem requires a detailed technical treatment and its complete proof is given in the full version of this paper. Termination follows from the fact that newly added anchor points are computed as $(\gamma \oplus_{MC} start) - start$ or $(\gamma \oplus_{MC} n)[R := 0]$, which ensures a finite size of the passed-waiting list and that every time-dart $(\gamma, w, p)$ on the list satisfies $0 \le w \le MC$, $w \le p$, and $p \le MC$ or $p = \infty$. The soundness proof is by a case analysis establishing a loop invariant that every call to AddToPW only adds time-darts that represent reachable configurations in the bounded semantics. Finally, the completeness proof is done by induction on the length of the computation leading to a reachable configuration, taking into account the nondeterministic nature of the algorithm and the fact that $\equiv_{MC}$ is a timed bisimulation, and it makes a full analysis of the different cases for adding new time-darts that are present in the algorithm for its performance optimization.

Theorem 5.1 Let $A$ be a timed automaton and let $\ell_g$ be a location. Algorithm 2 terminates, and it returns true iff $\ell_g$ is reachable in the discrete semantics $T_{DS}(A)$.
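Added example serving both Section 3 and Section 5: an own Python implementation of Algorithm 1 (naive) and Algorithm 2 (time-darts), written for this page and not taken from the opaal tool the paper describes, run on one constructed two-clock automaton so that the two answers and the number of stored states can be compared. It assumes closed-interval guards with [0, ∞) as the default for unconstrained clocks and BFS as the search order of the naive algorithm.

```python
# Added example: own implementation of Algorithms 1 and 2 of the paper, not the opaal code.
from collections import deque
from math import inf

INF = inf  # the paper's ∞: an open upper bound, or an unbounded passed distance p

# Edges are (src, guard, resets, dst). A guard maps clock -> (lb, ub) with closed
# bounds; a clock missing from the guard is implicitly constrained to [0, ∞).
def bound(guard, x):
    return guard.get(x, (0, INF))

def max_constant(edges):
    """MC: the largest integer appearing in any guard of the automaton."""
    mc = 0
    for _, guard, _, _ in edges:
        for lb, ub in guard.values():
            mc = max(mc, lb, 0 if ub == INF else ub)
    return mc

def bounded_add(n, d, mc):
    """n ⊕_MC d: every value above MC collapses to MC + 1 (bounded semantics)."""
    return n + d if n + d <= mc else mc + 1

def naive_reachable(clocks, edges, init, goal):
    """Algorithm 1 (BFS); returns (reachable, size of Passed ∪ Waiting at termination)."""
    mc = max_constant(edges)
    seen, waiting = set(), deque()          # seen plays the role of Passed ∪ Waiting
    def add(conf):                          # AddToPW of Algorithm 1 (lines 11-16)
        if conf in seen:
            return False
        seen.add(conf)
        waiting.append(conf)
        return conf[0] == goal              # True means: goal found, terminate
    if add((init, tuple(0 for _ in clocks))):
        return True, len(seen)
    while waiting:
        loc, v = waiting.popleft()          # line 5, here in BFS order
        for src, guard, resets, dst in edges:
            if src == loc and all(bound(guard, x)[0] <= v[i] <= bound(guard, x)[1]
                                  for i, x in enumerate(clocks)):
                v2 = tuple(0 if x in resets else v[i] for i, x in enumerate(clocks))
                if add((dst, v2)):          # switch successor (line 8)
                    return True, len(seen)
        if add((loc, tuple(bounded_add(c, 1, mc) for c in v))):  # one-unit delay (line 9)
            return True, len(seen)
    return False, len(seen)

def timedart_reachable(clocks, edges, init, goal):
    """Algorithm 2; returns (reachable, number of time-darts stored in PW)."""
    mc = max_constant(edges)
    pw = {}                                 # (loc, anchor) -> (w, p); absent means ⊥
    def add(loc, anchor, w, p):             # AddToPW of Algorithm 2 (lines 17-24)
        if loc == goal:
            return True
        w2, p2 = pw.get((loc, anchor), (INF, INF))
        pw[(loc, anchor)] = (min(w, w2), min(p, p2))
        return False
    if add(init, tuple(0 for _ in clocks), 0, INF):
        return True, len(pw)
    while True:
        todo = [(k, wp) for k, wp in pw.items() if wp[0] < wp[1]]  # darts with waiting points
        if not todo:
            return False, len(pw)
        (loc, anchor), (w, p) = todo[0]
        pw[(loc, anchor)] = (w, w)          # line 5: the whole dart is now passed
        for src, guard, resets, dst in edges:
            if src != loc:
                continue
            # first and last delay from the anchor at which the guard holds (lines 7-8)
            start = max([w] + [bound(guard, x)[0] - anchor[i] for i, x in enumerate(clocks)])
            end = min(bound(guard, x)[1] - anchor[i] for i, x in enumerate(clocks))
            if not (start < p and start <= end):        # line 9
                continue
            if not resets:                  # line 11: one dart, anchor shifted back by start
                shifted = tuple(bounded_add(a, start, mc) - start for a in anchor)
                if add(dst, shifted, start, INF):
                    return True, len(pw)
            else:                           # lines 13-15: one dart per delay in [start, last]
                kept = [anchor[i] for i, x in enumerate(clocks) if x not in resets]
                stop = max(start, mc + 1 - min(kept)) if kept else start
                last = min(end, p - 1, stop)   # stop is finite, so last is an int
                for d in range(start, last + 1):
                    succ = tuple(0 if x in resets else bounded_add(anchor[i], d, mc)
                                 for i, x in enumerate(clocks))
                    if add(dst, succ, 0, INF):
                        return True, len(pw)

CLOCKS = ("x", "y")

def model(goal_y_guard):
    """Constructed automaton: enter 'work' at any time >= 2, reset x whenever x = 3 (so in
    'work' x is 0 exactly at times 3, 6, 9, ...), reach 'goal' when x = 0 and y fits the guard."""
    return [
        ("init", {"x": (2, INF)}, frozenset(), "work"),
        ("work", {"x": (3, 3)}, frozenset({"x"}), "work"),
        ("work", {"x": (0, 0), "y": goal_y_guard}, frozenset(), "goal"),
    ]

REACHABLE = model((50, INF))    # first hit at time 51 (x = 0, y >= 50); MC = 50
UNREACHABLE = model((4, 4))     # x = 0 only at multiples of 3, never when y = 4
```

On REACHABLE the time-dart list holds one dart per anchor (0, 3k) in work plus the initial one, whereas the naive search stores every (x, y) pair it visits, which is where the compactness claim of the paper shows up.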

6 Experiments 

We have conducted a number of experiments in order to test the performance of the time-dart state-space representation. The experiments were done within the project opaal [12], a model-checking framework designed explicitly for fast prototyping and testing of verification algorithms using the programming language Python. The tool implements the pseudocode of both the fully discrete (called naive in the tables) as well as the time-dart reachability algorithms based on the passed-waiting list presented in Section 4.

The experiments were conducted on an Intel Core 2 Duo P8600 @ 2.4 GHz running Ubuntu Linux. The verification was interrupted after five minutes or when the memory limit of 2 GB RAM was exceeded (marked in the tables as OOM). The number of discovered symbolic states corresponds to the total number of calls to the function AddToPW (including duplicates) and the number of stored states is the size of the passed-waiting list at the termination of the algorithm. Verification times (in seconds) are highlighted in bold font. The examples and tool implementation are available at http://people.cs.aau.dk/~kyrke/download/timedart/timedart.tar.gz

Figure 5: Results for three different TGS scaled by the number of tasks



6.1 Task Graph Scheduling 

The task graph scheduling problem (TGS) is the problem of finding a feasible schedule for a number of parallel tasks with given precedence constraints and processing times on a fixed number of homogeneous processors [17]. The chosen task graphs for two processors were taken from the benchmark [22] such that several scheduling problems with different degrees of concurrency are included. The models are scaled by the number of tasks in the order given by the benchmark and the verification query performed a full state-space search. The experimental results are displayed in Figure 5. The data confirm that the time-dart verification technique saves both the number of stored/discovered states and noticeably improves the verification speed, in particular in the model T155.

6.2 Bridge Crossing Vikings 

The bridge crossing Vikings is a slightly modified version of the standard planning problem available in the official distribution of Uppaal; we only eliminated the integer variables used there, which are not supported in our opaal implementation and are simulated by new locations. The query searched the whole state-space. Verification results are given in Figure 6. The performance of the time-dart algorithm is again better than the full discretization, even though in this case the constants in the model are relatively small (proportional to the number of Vikings), meaning that the potential of time-darts is not fully exploited.

Figure 6: Results for bridge crossing scaled by the number of Vikings

Figure 7: Results for train level crossing scaled by the number of trains

6.3 Train Level Crossing 

In train level crossing we consider auto-generated timed automata templates constructed via the automatic translation [11] from a timed-arc Petri net model of a train level-crossing example. The auto-generated timed automata were produced by the tool TAPAAL [13] and have a rather complex structure that human modelers normally never design, and hence we can test the potential of the discrete-time engine also for models translated from other time-dependent formalisms. The query we asked searches the whole state-space. We list the results in Figure 7 and the experiment demonstrates again the advantage of the time-dart verification method.

6.4 Fischer's Protocol 

The discrete-time techniques are sensitive to the size of the constants present in the model. We have therefore scaled our next experiment by the size of the maximal constant (MC) that appears in the model in order to demonstrate the main advantage of the time-dart algorithm. For this we use the well known Fischer's protocol for ensuring mutual exclusion between two or more parallel processes [18]. It is a standard model for testing the performance of verification tools; we replaced one open interval in the model with a closed one such that mutual exclusion is still guaranteed. The concrete version of the protocol we verified was created by a translation from the timed-arc Petri net model of the protocol [1] available as a demo example in the tool TAPAAL [13]. We searched the whole state-space and the results are summarized in Figure 8. It is clear that time-darts are superior w.r.t. the scaling of the constants in the model, allowing us to verify (within the given limit of 300 seconds) models where the maximum constant is 66, as opposed to only 18 when the full discretization is used.

Figure 8: Experimental results for Fischer's mutual exclusion protocol



7 Conclusion 

We have introduced a new data structure of time-darts in order to represent the reachable state-space of closed timed automata models. We showed on a number of experiments that our time-dart reachability algorithm achieves a consistently better performance than the explicit search algorithm, improving both the speed and memory requirements. This is obvious in particular on models with larger constants (as demonstrated in the Fischer's experiment or the T155 task graph) where time-darts provide a compact representation of the delay successors and considerably improve both time and memory.

The algorithms were implemented in the interpreted language Python without any further optimization techniques like partial order and symmetry reductions and advanced extrapolation techniques, and with only one global maximum constant. This does not allow us to compare its performance directly with the state-of-the-art optimized tools for real-time systems.

An advantage of time-darts and explicit state-space methods in general is that it is relatively easy to extend them with additional modelling features like clock invariants and diagonal guards. In our future work we will implement the time-dart algorithm in C++ with additional optimizations (e.g. considering local constants instead of the global ones) and we shall also consider the verification of liveness properties. It is clear that for large enough constants the DBM-search engine will always beat the explicit methods (see [19]); our technique can thus be seen as a practical alternative to the DBM-engines on the subset of models that for example use counting features (like in our introductory example) and where the DBM state-space representation explodes even for models with small constants. Another line of research will focus on further optimizations of the time-dart technique by considering federations of time-darts so that the data structure becomes even less sensitive to the scaling of the constants.